Indochine Counsel

This article covers the promulgation of Decree 53 on the implementation of the cybersecurity law in Vietnam. By Dang The Duc and Thai Gia Han.

Despite the fact that the promulgation of Decree 53 on the implementation of the cybersecurity law is verging on old news, I wanted to share the information prepared by our firm here because it is an extremely important development in the sphere of cybersecurity in Vietnam. Dang The Duc and Thai Gia Han prepared the original brief that can be found here. I have emphasized some sections and added my thoughts as well, specifically in relation to the new scheme for data localization in Vietnam.

Enjoy.

Long-awaited Decree Implementing the Cybersecurity Law Finalized at Last

By Dang The Duc and Thai Gia Han (annotated by Steven Jacob)

After the initial promulgation of the Law on Cybersecurity No. 24/2018/QH14 (the “Cybersecurity Law”) in the middle of 2018, which appeared to impose a strict requirement for data localization in Vietnam, the government of Vietnam has toyed with rolling back the onerous letter of the law. For a year, the Government released two different versions of an implementation decree for the Cybersecurity Law. The second of those, issued in August 2019 (the “Last Draft Decree”) left the Ministry of Public Security options as to how it wanted to treat certain provisions of the Cybersecurity Law and, specifically, the data localization requirement. Then, last month, the government finally issued an officially adopted and promulgated implementation decree. Decree No. 53/2022/ND-CP dated 15 August 2022 (“Decree 53”) details articles of the Cybersecurity Law and takes effect, with little leeway for foot dragging, on 1 October 2022. This article will review some of the important provisions of Decree 53.

Official “shape” of Decree 53

In general, Decree 53 comprises six chapters with 30 articles. A new schedule has been attached which provides templates that are required for applications legislated in the decree itself.

While Decree 53 contains a number of definitions, a handful that are most relevant include:

  • service user” used to apply to any person participating in cyberspace. Now it covers organizations and individuals who use services in cyberspace, a narrowing of the application subjects of Decree 53.
  • data generated by a service user in Vietnam” is limited to Prescribed Data (defined below) whose source lies within the territory of the Socialist Republic of Vietnam;
  • “cybersecurity task force” (“CTF”) includes the Department of Military Security Protection and the General Political Department; and
  • Definitions of “domestic enterprise” and “foreign enterprise” have been supplemented.

Major highlights

Cybersecurity inspection obligation (Article 16, Decree 53)

Decree 53 no longer states that cybersecurity inspections are technical methods to be applied by administrators of information systems in their operation and use of such information systems. Despite this exception, administrators remain liable due to the basic hierarchy of legislation which provides that where a specialized law is silent, the general law will apply. In this case, Article 17.2(a) of the Cybersecurity Law governs.

Deletion of unlawful or false information in cyberspace (Article 19, Decree 53)

Finding its roots in the Cybersecurity Law, Decree 53 requires service providers to delete data which infringes national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals.

This cybersecurity protection method is instigated by the heads of competent agencies attached to the Ministry of Information and Communications (“MOIC”) are now additional competent agencies allowed to apply these cybersecurity protection methods, in addition to the Director of the Department of Cybersecurity and Hi-tech Crime Prevention (the “DCHCP”) under the Ministry of Public Security (the “MPS”). Moreover, the MOIC, DCHCP, and MPS are all entitled to actively exchange and share information in respect of its implementation, save for information which falls within the scope of State secrets or professional requests of the MPS. Finally, the CTF under the Ministry of Defense has the responsibility for application of cybersecurity protection methods in relation to military information systems.

Requirements on data localization and branch/representative office establishment

Types of information to be stored

Information required to be stored in Vietnam comprises three main types, namely: (i) personal information of service users in Vietnam; (ii) data generated by service users in Vietnam; and (iii) data regarding the relationships of service users in Vietnam (the “Prescribed Data”). Data generated by service users in Vietnam includes registered phone numbers attached to accounts used for utilizing the service or attached to relevant data [in general].

Enterprises and services subject to the requirements

Decree 53 clearly requires that all domestic enterprises, which includes joint ventures and wholly Vietnamese owned enterprises, must store the Prescribed Data within the territory of Vietnam.

Foreign enterprises who provide services that collect data will be subject to the requirement on data localization and the establishment of a branch / representative office (the “Requirement”) if the following conditions are all met:

  • The foreign enterprise has business operations in Vietnam which fall in the sectors as prescribed under Article 26.3(a) of Decree 53, which include: (i) telecom services; (ii) services of data storage and sharing in cyberspace (cloud storage); (iii) supply of national or international domain names to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) service of transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; and (x) services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat;
  • The services provided by the foreign enterprise are used for committing a breach of the laws as to cybersecurity; and
  • Such foreign enterprise has been informed and requested in writing by the DCHCP under the MPS for cooperation in handling / preventing such breach, but fails to comply, fails to fully comply, or otherwise challenges any cybersecurity protection method applied by the CTF.

One additional condition which remains applicable as a provision of the Cybersecurity law is that of “having activities of collecting, exploiting, analyzing and processing” the Prescribed Data, which expands the reach of the Requirement to include information from third parties that may be used by foreign enterprises.

Concessions by the Government

The requirement for data localization and establishment of a local presence has caused a great deal of concern since it was first released with the promulgation of the Cybersecurity Law. Acknowledging this situation, the Government appears to be making some concessions in Decree 53 by providing some flexibility in compliance with these requirements. In particular:

  • If unable to comply with the Requirement due to force majeure events, foreign enterprises are entitled to notify the DCHCP under the MPS in writing within three working days for inspection. In this case, the concerned foreign enterprise will be granted a period of 30 working days to enact remedial measures;
  • Enterprises are entitled to decide on the form of data storage within Vietnam; and
  • Time for compliance with the Requirement by foreign enterprises has been extended to 12 months from the date of a decision by the MPS Minister on data storage and/or branch/representative office establishment (the “MPS Decision”) for that enterprise.

Non-compliance will be subject to sanctions. However, no specific regulation on applicable sanctions has been provided.

Required period of storing data and maintaining a branch/representative office

For data storage, instead of regulating specific storage periods for each type of Prescribed Data, Decree 53 generally sets out a storage period which commences when the enterprise receives the MPS Decision, and lasts until the request is terminated, with a minimum floor of twenty-four (24) months.

For branch/representative office establishment, the applicable period commences when the enterprise receives the MPS Decision and lasts until the enterprise no longer operates in Vietnam or the prescribed service is no longer provided in Vietnam.

Potential Impacts

For four years foreign enterprises have consistently inquired as to the data localization requirements under the Cybersecurity Law. Interpretations have varied considerably, from a requirement that all foreign enterprises must store all data within the territory of Vietnam to lesser interpretations which considered types of data and requirements from the MPS. The two draft decrees that saw the light of day in the interstices, did little to relieve concerns.

Only with Decree 53 has the government finally provided clarity on what requirements will be imposed on foreign enterprises. No longer is the law as open ended and broad as assumed under the Cybersecurity Law. Rather, it applies only to foreign enterprises who are uncooperative with specific government agencies. Even then, they will have 12 months to relocate their data and open a branch or representative office.

Despite the solidifying of the requirements, Decree 53 stings. It in effect creates a long arm which can reach foreign enterprises trying to provide services or access the Vietnam market. While it is uncertain whether the authorities will have the power to deny nationwide access to delinquent foreign enterprises, the specter of such a penalty does exist. No Great Wall, this may prove to be the next best thing as it will allow the authorities to take action against foreign enterprises publishing or posting information that is “undesirable” to the government. But hey, at least they’ll get 12 months.

Please Login or Register for Free now to view all updates and articles

In addition to free-to-view updates and articles, you can also subscribe to the full Legal Centrix Vietnam Service including access to:

  • Overview notes on the law
  • Thousands of high quality translations of legislation covering all key business areas
  • Legal and tax updates
  • Articles on important legal and tax issues
  • Weekly email alerts
  • Sophisticated web platform and search

Legal Centrix is trusted by top law and accounting firms.

Indochine Counsel

Established in October 2006, Indochine Counsel is a leading commercial law firm in Vietnam. Offering services throughout Vietnam, Indochine Counsel is ideally positioned to assist international investors and foreign firms to navigate the legal landscape in one of Asia's most dynamic and exciting countries. We also take pride in our services offered to domestic clients in searching for opportunities abroad. With over 45 lawyers and staff in two offices, Ho Chi Minh City and Hanoi, Indochine Counsel offers expertise in a dozen practice areas and provides assistance throughout the entire life cycle of your business.

Based on the principles of Excellence, Professionalism and Ethical Lawyering, Indochine Counsel strives to give clients quality service in a timely manner. Our lawyers have been trained all over the globe and have experience with both local and international law firms. Indochine Counsel takes pride in its people and works hard to ensure that they have the support and training necessary to work at the peak of excellence.

Indochine Counsel’s objective is to provide quality legal services and add value to clients through effective customized legal solutions that work specifically for the client. The firm represents local, regional and international clients in a broad range of matters including transactional work and cross-border transactions. The firm’s clients are diverse, ranging from multinational corporations, foreign investors, banks and financial institutions, securities firms, funds and asset management companies, international organizations, law firms to private companies, SMEs and start-up firms.

Click here to view the author's profile

Author

Tags

  • Vietnam
  • State, Government, Laws & Economy
  • Internet & Social Media
  • General
  • Foreign Investment Specific
  • Legal Updates
  • Data Protection & Privacy
  • Information Technology

Related Content

Recent updates

Cookies On
Our Website
We use cookies on our website. To learn more about cookies, how we use them on our site and how to change your cookie settings please click here to view our cookie policy. By continuing to use this site without changing your settings you consent to our use of cookies in accordance with our cookie policy.